RE: ;binary migration solution
Steven Legg writes:
> As things stand today, we have a significant body of LDAPv3 compliant
> implementations that expect to get back "userCertificate;binary" from
> a request for "*".
I can think of a few ways to handle that, all of them ugly:
- Go back to my first suggestion.
If an attribute is added with ;binary, it is returned with ;binary.
Possibly unless it is asked for without ;binary, which causes
the server to strip away ;binary in the result.
Thus, the administrator can add certificates with ;binary if he
has such clients.
If the same site also has clients that want userCertificate without
;binary, they lose.
- Treat ;binary as a normal tagging option. Add userCertificate;binary
and get userCertificate;binary back. If there are also clients that
want it without ;binary, add plain userCertificate as well.
- Let the attribute syntax handle ;binary. If an attribute has a
"binary syntax", it is returned with ;binary.
This breaks clients which do not want ;binary added.
How common are clients like you describe, compared to
(a) clients that do not want ;binary and ask for userCertificate,
(b) clients that do not want ;binary and ask for *?
> In any phased migration away from the use of ";binary",
> at some point compliant directory servers will have to change from
> returning userCertificate;binary to just returning userCertificate and
> this will break currently conformant clients.
>
> David Chadwick is the only one who has proposed a safe way to
> effect a migration (using controls). However, since such a migration
> delivers no practical benefit to conformant PKI clients (just a different
> way of asking for the same thing), I think the pain of migration is
> not justified.
Yes, it may be just as well to keep asking for ;binary.
BTW, as far as I can tell, my and David's proposals make migration
more or less equally hard:
Client side:
- update to try DontUseBinary (David's) or to ask for ;binary (mine).
Server side:
- update to let syntaxes ensure binary transfer.
- update to handle DontUseBinary or no-op ;binary
Client side, when servers have been upgraded:
- remove DontUseBinary (David's) or remove ;binary (mine).
Server side, when clients have been upgraded:
- remove support for DontUseBinary and ;binary.
--
Hallvard
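The three server-side policies sketched above (return ;binary as added, treat ;binary as an ordinary tagging option, let the syntax decide) differ only in how a stored attribute description is matched against a requested one and under which description the value is sent back. The following simulation is an added example, not code from the original post or from any directory server; the entry layouts, the DER blob, the client profiles (the "legacy" client Steven describes plus Hallvard's (a) and (b)), the policy names and the BINARY_SYNTAX_TYPES set are all constructed here, and the "tag-on-add" policy includes the "possibly unless it is asked for without ;binary" stripping rule from the first option.

```python
"""Simulate which ';binary' clients break under three server policies.

Added example; entry contents, client profiles and policy names are
constructed for illustration and are not taken from the original post.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: these attribute types have a syntax the server would flag as
# "binary" under the syntax-driven policy (option 3 in the post).
BINARY_SYNTAX_TYPES = {"usercertificate", "cacertificate", "crosscertificatepair"}

# Constructed stand-in for a DER-encoded certificate (a minimal SEQUENCE).
DER = b"\x30\x03\x02\x01\x01"

# Two constructed entry layouts: certificate stored only with ;binary,
# and stored under both descriptions (option 2's workaround).
ENTRY_BINARY_ONLY = {"cn": [b"Test"], "userCertificate;binary": [DER]}
ENTRY_BOTH = {"cn": [b"Test"], "userCertificate;binary": [DER], "userCertificate": [DER]}


def split_desc(desc: str) -> tuple[str, frozenset[str]]:
    """'userCertificate;binary' -> ('usercertificate', {'binary'}).
    Attribute descriptions are case-insensitive, so everything is lowercased."""
    parts = desc.lower().split(";")
    return parts[0], frozenset(p for p in parts[1:] if p)


def join_desc(atype: str, options: frozenset[str]) -> str:
    return ";".join([atype, *sorted(options)])


def matches(policy: str, req_type: str, req_opts: frozenset[str],
            atype: str, opts: frozenset[str]) -> bool:
    """Does a stored description (atype, opts) satisfy a requested one?"""
    if req_type != atype:
        return False
    if policy == "tagging":
        # ;binary is an ordinary tagging option: a tagged attribute is a
        # subtype of the bare one, so the requested options must be a subset.
        return req_opts <= opts
    if policy == "syntax":
        # the syntax owns ;binary, so it is ignored on both sides when matching
        return (req_opts - {"binary"}) <= (opts - {"binary"})
    return True  # tag-on-add: a type match is enough


def search(entry: dict[str, list[bytes]], requested: list[str], policy: str) -> dict[str, list[bytes]]:
    """Return {description: values} as the server would send it back.

    policy is one of:
      'tag-on-add'  option 1: returned as stored, except that an explicit
                    request for the bare type strips ';binary'.
      'tagging'     option 2: ';binary' is a normal tagging option.
      'syntax'      option 3: binary-syntax types always get ';binary'.
    """
    wanted = None if "*" in requested else [split_desc(r) for r in requested]
    result: dict[str, list[bytes]] = {}
    for stored, values in entry.items():
        atype, opts = split_desc(stored)
        hits = None  # "*" matches everything, nothing to strip against
        if wanted is not None:
            hits = [ro for rt, ro in wanted if matches(policy, rt, ro, atype, opts)]
            if not hits:
                continue
        out_opts = opts
        if policy == "tag-on-add" and hits and any("binary" not in ro for ro in hits):
            out_opts = opts - {"binary"}
        elif policy == "syntax":
            out_opts = opts | {"binary"} if atype in BINARY_SYNTAX_TYPES else opts - {"binary"}
        result.setdefault(join_desc(atype, out_opts), []).extend(values)
    return result


@dataclass(frozen=True)
class Client:
    name: str
    asks_for: tuple[str, ...]
    wants_binary: bool  # expects the cert under 'userCertificate;binary'


# Constructed client profiles: the deployed LDAPv3 client Steven describes,
# Hallvard's (a) and (b), and a client that asks for ;binary explicitly.
CLIENTS = (
    Client("legacy-star", ("*",), True),
    Client("bare-a", ("userCertificate",), False),
    Client("star-b", ("*",), False),
    Client("explicit-binary", ("userCertificate;binary",), True),
)


def client_satisfied(client: Client, result: dict[str, list[bytes]]) -> bool:
    expected = "usercertificate;binary" if client.wants_binary else "usercertificate"
    return expected in result


def evaluate(entry: dict[str, list[bytes]],
             policies: tuple[str, ...] = ("tag-on-add", "tagging", "syntax")) -> dict[str, dict[str, bool]]:
    """{policy: {client name: got the description it expects?}}"""
    return {p: {c.name: client_satisfied(c, search(entry, list(c.asks_for), p))
                for c in CLIENTS} for p in policies}


if __name__ == "__main__":
    for label, entry in (("binary only", ENTRY_BINARY_ONLY), ("both", ENTRY_BOTH)):
        for policy, outcome in evaluate(entry).items():
            print(f"{label:12} {policy:11} {outcome}")
```

Running it shows the trade-off the post describes: with the certificate stored only as userCertificate;binary, every policy keeps the legacy "*" client working, option 1 additionally serves client (a) by stripping the tag, and client (b) loses under all three; storing the value under both descriptions rescues (a) and (b) for options 1 and 2 but not for the syntax-driven option, which always tags the value.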